Password Reset Mechanism Vulnerability in Zitadel Identity Infrastructure
CVE-2025-48936

8.1 HIGH

Key Information:

Vendor

Zitadel

Status
Vendor
CVE Published:
30 May 2025

What is CVE-2025-48936?

A vulnerability exists in the Zitadel identity infrastructure software related to its password reset mechanism. The software uses the Forwarded or X-Forwarded-Host header to create a password reset confirmation link sent via email, which includes a secret code for resetting the user's password. If an attacker successfully manipulates these headers through host header injection, they can craft a malicious password reset link that leads to an unauthorized domain. If a user clicks this link, the attacker could capture the secret reset code and gain unauthorized access to the user’s account. This vulnerability is effectively mitigated for accounts with Multi-Factor Authentication (MFA) or Passwordless authentication enabled. Users are urged to update to versions 2.70.12, 2.71.10, or 3.2.2, where this issue has been addressed.
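As an added illustration (not Zitadel's code), the following Go snippet contrasts the weak pattern the description names, deriving the reset link's origin from X-Forwarded-Host, with a hardened builder that takes the origin from configuration and a final check that the mailed link stays on the configured host; the origin constant, confirmation path and sample host are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// Constructed values (hypothetical, not Zitadel settings): the public origin
// an operator configures, and the confirmation path the mailed link points at.
const configuredExternalOrigin = "https://login.example.com"
const resetConfirmPath = "/password/reset/confirm"

// resetLinkFromRequest mirrors the weak pattern the advisory describes: the link
// origin is taken from a forwarded-host header that a client may be able to set.
func resetLinkFromRequest(r *http.Request, code string) string {
	host := r.Header.Get("X-Forwarded-Host")
	if host == "" {
		host = r.Host
	}
	return "https://" + host + resetConfirmPath + "?code=" + url.QueryEscape(code)
}

// resetLinkFromConfig is the hardened form: headers are ignored and the origin
// always comes from configuration, so the secret code only travels to that host.
func resetLinkFromConfig(code string) (string, error) {
	base, err := url.Parse(configuredExternalOrigin)
	if err != nil {
		return "", err
	}
	u := base.ResolveReference(&url.URL{Path: resetConfirmPath})
	u.RawQuery = url.Values{"code": {code}}.Encode()
	return u.String(), nil
}

// linkOnTrustedOrigin is a last check before the mail is sent: scheme and host
// must exactly match the configured origin (deliberately strict, no case folding).
func linkOnTrustedOrigin(link string) bool {
	got, err := url.Parse(link)
	want, err2 := url.Parse(configuredExternalOrigin)
	return err == nil && err2 == nil && got.Scheme == want.Scheme && got.Host == want.Host
}

func main() {
	// Constructed request: the proxy passed on a host the operator never configured.
	r := &http.Request{Host: "login.example.com", Header: http.Header{}}
	r.Header.Set("X-Forwarded-Host", "untrusted.example")
	weak := resetLinkFromRequest(r, "c0de")
	safe, _ := resetLinkFromConfig("c0de")
	fmt.Println(weak, linkOnTrustedOrigin(weak)) // untrusted host, false
	fmt.Println(safe, linkOnTrustedOrigin(safe)) // configured host, true
}
```

The same check can be applied at the reverse proxy: strip or overwrite client-supplied Forwarded and X-Forwarded-Host headers so the application only ever sees values the proxy sets.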

Affected Version(s)

zitadel < 2.70.12

zitadel >= 2.71.0, <= 2.71.10

zitadel >= 3.0.0-rc1, < 3.2.2

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
